nginx.git/src/http, branch release-1.3.8 nginx Event pipe: fixed handling of buf_to_file data. 2012-10-30T11:14:24+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-30T11:14:24+00:00 8e67fb4226e6357477f32fbdd1443fb2bdd00b69 Input filter might free a buffer if there is no data in it, and in case of first buffer (used for cache header and request header, aka p->buf_to_file) this resulted in cache corruption. Buffer memory was reused to read upstream response before headers were written to disk. Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer start if we were asked to free a buffer used by p->buf_to_file. This fixes occasional cache file corruption, usually resulted in "cache file ... has md5 collision" alerts. Reported by Anatoli Marinov. 
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
Variables $connection and $connection_requests. 2012-10-29T17:17:59+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-29T17:17:59+00:00 1e12e7fa1db39cf256d2219c394c118f3175053d Log module counterparts are removed as they aren't used often and there is no need to preserve them for efficiency. 
Log module counterparts are removed as they aren't used often and
there is no need to preserve them for efficiency.
ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for 2012-10-23T14:36:18+00:00 Valentin Bartenev vbart@nginx.com 2012-10-23T14:36:18+00:00 09dca40b332cf6c349bff409a9f993d04df35f12 idle connections. This behaviour is consistent with the ngx_http_set_keepalive() function and it should decrease memory usage in some cases (especially if epoll/rtsig is used). 
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
Gunzip: fixed r->gzip_ok check. 2012-10-18T14:27:40+00:00 Maxim Dounin mdounin@mdounin.ru 2012-10-18T14:27:40+00:00 27b7eb17d081340515cd7ee3771d68af1c6d8267 






OCSP stapling: properly check if there is ssl.ctx.
2012-10-05T11:09:14+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-10-05T11:09:14+00:00

0d7a7e91cf57981e89dafb44794dcb9563e8a3fa

This fixes segfault if stapling was enabled in a server without a certificate
configured (and hence no ssl.ctx).





This fixes segfault if stapling was enabled in a server without a certificate
configured (and hence no ssl.ctx).







Variable $bytes_sent.
2012-10-03T15:25:36+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-10-03T15:25:36+00:00

82989420adcf0cb4e0f00e5f689cb59554e4c24c

It replicates variable $bytes_sent as previously available in log module
only.

Patch by Benjamin Grössing (with minor changes).





It replicates variable $bytes_sent as previously available in log module
only.

Patch by Benjamin Grössing (with minor changes).







Log: $apache_bytes_sent removed.
2012-10-03T15:25:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-10-03T15:25:06+00:00

a707811a31455979744e0c456882dd0fa2e9e139

It was renamed to $body_bytes_sent in nginx 0.3.10 and the old name is
deprecated since then.





It was renamed to $body_bytes_sent in nginx 0.3.10 and the old name is
deprecated since then.







SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
2012-10-03T15:24:08+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-10-03T15:24:08+00:00

c846871ce106e0fbe4c27a48a4c3378f18cd03f8

This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.





This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.







Version bump.
2012-10-03T15:22:18+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-10-03T15:22:18+00:00

f8cc8969d52211530c0eba3d28e0cb03d4f958b3












OCSP stapling: ssl_stapling_verify directive.
2012-10-01T12:53:11+00:00

Maxim Dounin
mdounin@mdounin.ru

2012-10-01T12:53:11+00:00

bec2cc5286e5888eb1de9462f7c64b922967b47b

OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.





OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.